SSL/TLS encrypts the connection between a user and a website, scrambling the data that is sent back and forth. Without SSL/TLS, someone one the same network can see data in clear text and, in this case, any password sent to CNBC.

"Worried about security? Enter your password into this @CNBC website (over HTTP, natch). What could go wrong," Felt wrote on Twitter. "Alternately, feel free to tweet your password @ me and have the whole security community inspect it for you."

The form also sent passwords to advertising networks and other parties with trackers on CNBC's page, according to Ashkan Soltani, a privacy and security researcher, who posted a screenshot.

The companies that received copies of the passwords included Google's DoubleClick advertising service and Scorecard Research, an online marketing company that is part of comScore.

Despite saying the tool would not store passwords, traffic analysis showed it was actually storing them in a Google Docs spreadsheet, according to Kane York, who works on the Let's Encrypt project.

"The 'submit' button loads your password into a @googledocs spreadsheet!," York wrote.

In an interview over email, York said he has written some macros for Google Docs and recognized the domain "script.google.com."

He watched what happened after a password was submitted using the developer tools in Google's Chrome browser. He saw this: {result: "success", row: 1285}.

"Specifically, that 'row' increased by one each time I clicked the button," York said. "I was pretty sure that they were inserting the rows into a spreadsheet.

Luckily, the spreadsheet was marked as private, so it wouldn't have been accessible to the public.

Efforts to reach CNBC and the author of the story were not immediately successful.